SigmaHQ Integration
SigmaHQ is the official repository of Sigma detection rules maintained by the security community. CHAD can sync with SigmaHQ to browse and import thousands of community rules.
What is SigmaHQ?
SigmaHQ contains:
- Core rules - Production-ready detections for common threats
- Threat hunting rules - Proactive hunting queries
- Emerging threat rules - Rapid response to new campaigns
- Windows, Linux, macOS
- Network traffic
- Cloud platforms (AWS, Azure, GCP)
- Applications (web servers, databases)
Syncing SigmaHQ
Initial Sync
- Navigate to SigmaHQ in the sidebar
- Click Sync Repository
- Wait for the sync to complete (may take a few minutes)
Automatic Updates
SigmaHQ is updated regularly. Configure automatic sync:
- Go to Settings > SigmaHQ
- Enable Auto Sync
- Set sync frequency (daily recommended)
Auto sync runs in the background and doesn’t interrupt your work.
Browsing Rules
After syncing, browse the rule library:
Search
Search by:
- Title - Rule name
- Tags - MITRE ATT&CK techniques
- Product - Windows, Linux, network
- Severity - Risk level
Filters
Filter rules by:
| Filter | Options |
|---|---|
| Category | Core, Threat Hunting, Emerging Threats |
| Product | windows, linux, macos, network, cloud |
| Severity | critical, high, medium, low, informational |
| Status | stable, test, experimental |
Rule Preview
Click any rule to preview:
- Full Sigma YAML
- Rule metadata (author, references)
- MITRE ATT&CK mappings
- False positive notes
Importing Rules
Single Rule Import
- Find the rule you want
- Click Import
- Rule is copied to your local rules
- Edit if needed, then deploy
Bulk Import
Import multiple rules at once:
- Use filters to find relevant rules
- Select rules with checkboxes (or “Select All”)
- Click Bulk Import
- Review the import summary
- Confirm import
Import Considerations
Field Mapping
SigmaHQ rules use standard Sigma field names. You need:
- Field mappings configured for your log schema
- Index patterns that match the rule’s logsource
Rule Customization
Imported rules may need tuning:
- Field names - Adjust for your environment
- Severity - Match your risk tolerance
- Tags - Add custom tags
- Exceptions - Tune for your baselines
Tracking Imported Rules
Imported rules are marked with:
- `source: sigmahq` - Indicates origin
- `sigmahq_path` - Original repository path
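To make the field-mapping, logsource and tracking requirements above concrete, here is an added Python example. It is not CHAD's code and does not describe how CHAD performs the import internally; it shows the checks an importer has to make. It takes a constructed Sigma rule in parsed form (the dict a YAML loader would produce), rewrites Sigma field names through a constructed mapping while preserving modifiers such as `|endswith`, looks up the rule's logsource against constructed index patterns, and stamps the local copy with `source: sigmahq` and `sigmahq_path`. `FIELD_MAP`, `INDEX_PATTERNS`, `SAMPLE_RULE` and the function names are assumptions.

```python
import re

# Constructed field mapping: Sigma field name (Sysmon-style) -> field name in the local log schema.
FIELD_MAP = {
    "Image": "process.executable",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.executable",
    "User": "user.name",
}

# Constructed index patterns keyed by the rule's logsource (product, category).
INDEX_PATTERNS = {
    ("windows", "process_creation"): "logs-windows.sysmon-*",
    ("linux", "process_creation"): "logs-linux.auditd-*",
}

# Constructed rule, written as the parsed form of its Sigma YAML.
SAMPLE_RULE = {
    "title": "Example Suspicious Process (constructed)",
    "status": "test",
    "level": "medium",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\example.exe",
            "CommandLine|contains": "--constructed-flag",
            "IntegrityLevel": "High",  # deliberately absent from FIELD_MAP
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}

# Splits "Field|modifier|modifier" into the bare field name and its modifier suffix.
_FIELD_AND_MODS = re.compile(r"^([^|]+)(\|.*)?$")


def map_detection(detection, field_map):
    """Translate field names in every selection block of a Sigma detection.

    Sigma modifiers such as '|endswith' are preserved; only the bare field name
    before the first '|' is looked up. Returns (mapped_detection, unmapped_fields).
    """
    mapped = {}
    unmapped = set()
    for name, block in detection.items():
        # The condition string and list-form selections are passed through untouched.
        if name == "condition" or not isinstance(block, dict):
            mapped[name] = block
            continue
        new_block = {}
        for key, value in block.items():
            field, mods = _FIELD_AND_MODS.match(key).groups()
            if field in field_map:
                new_block[field_map[field] + (mods or "")] = value
            else:
                new_block[key] = value
                unmapped.add(field)
        mapped[name] = new_block
    return mapped, sorted(unmapped)


def resolve_index(logsource, index_patterns):
    """Find the index pattern that serves the rule's logsource, or None."""
    return index_patterns.get((logsource.get("product"), logsource.get("category")))


def import_rule(rule, sigmahq_path, field_map=FIELD_MAP, index_patterns=INDEX_PATTERNS):
    """Build the local copy of a SigmaHQ rule plus a readiness report.

    The copy carries the origin markers used for tracking ('source: sigmahq' and
    'sigmahq_path'); the report says whether the rule can be deployed as-is.
    """
    detection, unmapped = map_detection(rule["detection"], field_map)
    index = resolve_index(rule["logsource"], index_patterns)
    local = dict(rule, detection=detection, source="sigmahq", sigmahq_path=sigmahq_path)
    report = {
        "unmapped_fields": unmapped,
        "index_pattern": index,
        "deployable": not unmapped and index is not None,
    }
    return local, report


if __name__ == "__main__":
    local_rule, report = import_rule(SAMPLE_RULE, "rules/windows/process_creation/example.yml")
    print(local_rule["detection"]["selection"])
    print(report)
```

The sample rule is deliberately not deployable: `IntegrityLevel` has no mapping, so the report lists it as unmapped and the importer refuses to mark the rule ready. That is the condition behind the "Rules don't match logs" symptom in the troubleshooting section: a rule whose field names or logsource never line up with the data you index will simply never fire.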
Updating Rules
When SigmaHQ rules are updated:
- Sync the repository
- CHAD identifies rules with changes
- Review changed rules in SigmaHQ > Updates
- Choose to update or keep your version
Rule Categories
Core Rules (rules/)
Production-ready detections:
- Well-tested and validated
- Low false positive rates
- Suitable for automated alerting
Threat Hunting (rules-threat-hunting/)
Proactive hunting queries:
- Broader detection scope
- Higher false positive potential
- Requires analyst review
Emerging Threats (rules-emerging-threats/)
Rapid response rules:
- Created for active campaigns
- May have limited testing
- Time-sensitive relevance
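The update workflow above (sync, identify changed rules, review, choose to update or keep your version) and the directory-based categories depend on knowing which side of a rule changed. Here is an added Python example of that bookkeeping; it is not CHAD's code and the page does not say how CHAD implements change detection. It stores a content hash of the upstream rule at import time, compares it against both the fresh sync and the local copy, and classifies each rule as unchanged, update-available, customized, conflict, removed-upstream or new-upstream, with its category derived from the `rules/`, `rules-threat-hunting/` or `rules-emerging-threats/` prefix of its `sigmahq_path`. The sample rules, the `sigmahq_hash` field, the status names and the function names are assumptions.

```python
import hashlib
import json

# Keys the local copy carries for tracking; they are excluded from content hashing so
# a local copy hashes the same as the upstream rule it was imported from.
TRACKING_KEYS = {"source", "sigmahq_path"}

# Repository directory prefix -> category, following the SigmaHQ layout described above.
CATEGORY_BY_PREFIX = (
    ("rules-threat-hunting/", "threat-hunting"),
    ("rules-emerging-threats/", "emerging-threats"),
    ("rules/", "core"),
)


def rule_hash(rule):
    """Content hash of a parsed rule; key order and tracking keys do not affect it."""
    content = {k: v for k, v in rule.items() if k not in TRACKING_KEYS}
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def category_for(sigmahq_path):
    """Classify a rule by the top-level SigmaHQ directory it came from."""
    for prefix, name in CATEGORY_BY_PREFIX:
        if sigmahq_path.startswith(prefix):
            return name
    return "unknown"


def classify_updates(local_store, upstream_rules):
    """Compare local copies against a fresh sync.

    local_store: {sigmahq_path: {"rule": local copy, "sigmahq_hash": hash at import}}
    upstream_rules: {sigmahq_path: freshly synced rule}
    Returns {sigmahq_path: {"status": ..., "category": ...}}.
    """
    result = {}
    for path, entry in local_store.items():
        upstream = upstream_rules.get(path)
        if upstream is None:
            status = "removed-upstream"
        else:
            upstream_changed = rule_hash(upstream) != entry["sigmahq_hash"]
            locally_modified = rule_hash(entry["rule"]) != entry["sigmahq_hash"]
            if upstream_changed and locally_modified:
                status = "conflict"          # both sides changed: analyst must choose
            elif upstream_changed:
                status = "update-available"  # safe to take the upstream version
            elif locally_modified:
                status = "customized"        # local edits only, nothing new upstream
            else:
                status = "unchanged"
        result[path] = {"status": status, "category": category_for(path)}
    for path in upstream_rules:
        if path not in local_store:
            result[path] = {"status": "new-upstream", "category": category_for(path)}
    return result


# Constructed sample rules, shown as the parsed form of their Sigma YAML.
RULE_A = {"title": "A (constructed)", "status": "stable", "level": "high",
          "detection": {"selection": {"Image|endswith": "\\a.exe"}, "condition": "selection"}}
RULE_B = {"title": "B (constructed)", "status": "test", "level": "medium",
          "detection": {"selection": {"CommandLine|contains": "b"}, "condition": "selection"}}
RULE_C = {"title": "C (constructed)", "status": "experimental", "level": "low",
          "detection": {"selection": {"User": "c"}, "condition": "selection"}}
RULE_D = {"title": "D (constructed)", "status": "stable", "level": "medium",
          "detection": {"selection": {"Image|endswith": "\\d.exe"}, "condition": "selection"}}
RULE_E = {"title": "E (constructed)", "status": "test", "level": "high",
          "detection": {"selection": {"Image|endswith": "\\e.exe"}, "condition": "selection"}}


def build_local_store():
    """Local copies as they were at import time; B was then customized by an analyst."""
    store = {}
    for path, rule in [("rules/windows/a.yml", RULE_A), ("rules-threat-hunting/b.yml", RULE_B),
                       ("rules-emerging-threats/c.yml", RULE_C), ("rules/windows/d.yml", RULE_D)]:
        store[path] = {"rule": dict(rule, source="sigmahq", sigmahq_path=path),
                       "sigmahq_hash": rule_hash(rule)}
    store["rules-threat-hunting/b.yml"]["rule"]["level"] = "low"  # local severity override
    return store


def build_upstream_sync():
    """A later sync: A and B changed upstream, C was removed, D is unchanged, E is new."""
    return {
        "rules/windows/a.yml": dict(RULE_A, level="critical"),
        "rules-threat-hunting/b.yml": dict(RULE_B, status="stable"),
        "rules/windows/d.yml": RULE_D,
        "rules/windows/e.yml": RULE_E,
    }


if __name__ == "__main__":
    for path, info in sorted(classify_updates(build_local_store(), build_upstream_sync()).items()):
        print(f"{info['status']:17} {info['category']:16} {path}")
```

Recording the upstream hash at import time is what makes the "keep your version" choice safe: without it, a local severity override is indistinguishable from an upstream change, and a blind re-import would silently discard the customization, which is exactly what the "Track customizations" practice is meant to prevent.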
Best Practices
Start with your log sources
Only import rules that match logs you’re actually collecting.
Test before deploying
Run historical tests on imported rules to understand alert volume.
Customize severity
SigmaHQ severity may not match your risk tolerance. Adjust as needed.
Track customizations
Document changes you make to imported rules for future updates.
Stay current
Enable auto-sync to get new rules and updates automatically.
Troubleshooting
Sync fails
- Check network connectivity to GitHub
- Verify git is installed in the CHAD container
- Check disk space for repository clone
Rules don’t match logs
- Verify field mappings are configured
- Check index pattern matches logsource
- Test with sample logs
Too many false positives
- Start with `status: stable` rules only
- Use historical testing before deployment
- Create exception rules for known good activity